What happened:
When presenting a client certificate with an intermediate certificate, the error x509: certificate signed by unknown authority is returned despite the chain being correct.
In verifyClientCertificate the intermediate certificates are iterated upon and then added here (agones/cmd/allocator/main.go, line 416 in 8062a04):
However, the contents of rawCerts are not PEM-encoded, but ASN.1 raw binary data. Because the result of AppendCertsFromPEM is not checked, the error goes unnoticed. The certificates should instead be handled as raw binary data, such as in the example below:
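```go
// rawCerts[0] is the leaf; the remaining entries are DER-encoded intermediates.
for _, cert := range rawCerts[1:] {
	// Parse the DER bytes directly instead of treating them as PEM.
	c, err := x509.ParseCertificate(cert)
	if err != nil {
		logger.WithError(err).Warning("cannot parse intermediate certificate")
		return errors.New("bad client certificate: " + err.Error())
	}
	opts.Intermediates.AddCert(c)
}
```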
What you expected to happen:
I expected the intermediate certificate to be properly handled as binary data.
How to reproduce it (as minimally and precisely as possible):
1. Create a Root CA
2. Create an Intermediate CA
3. Create a client certificate from the Intermediate CA
4. Attach the Intermediate CA's public key to the client certificate's public key
5. Configure the Root CA (do not add the Intermediate CA) as the Allocation Client CA
6. Configure a GRPC client (in my case) to connect to the Agones Allocator GRPC server
7. Connect
Anything else we need to know?:
Environment:
Agones version: 1.19.0 (but I have referenced the code in the main branch when I reproduced the error locally)
Kubernetes version (use kubectl version): v1.21.11-gke.1100
Cloud provider or hardware configuration: GKE
Install method (yaml/helm): helm
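The failure reported above, reproduced offline as an added example (this is not code from Agones or from the issue author): a constructed root, intermediate and client chain is verified once with the DER intermediate passed to AppendCertsFromPEM and once with it parsed and added via AddCert. The helper names `issue` and `demo`, the Ed25519 keys, the certificate names and the default key-usage check are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, err := x509.ParseCertificate(der) // also fails when creation returned no DER
	if err != nil {
		panic(err)
	}
	return cert, key
}

// demo hands the DER intermediate to both pool-filling approaches and verifies the client.
func demo() (appended bool, pemErr, derErr error) {
	root, rootKey := issue("constructed root CA", true, nil, nil)
	inter, interKey := issue("constructed intermediate CA", true, root, rootKey)
	leaf, _ := issue("constructed client", false, inter, interKey)
	roots, asPEM, asDER := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // only the root is trusted, as in the reproduction steps
	verify := func(pool *x509.CertPool) error {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool})
		return err
	}
	appended = asPEM.AppendCertsFromPEM(inter.Raw) // DER is not PEM: false, pool stays empty
	parsed, derErr := x509.ParseCertificate(inter.Raw)
	if derErr != nil {
		return appended, nil, derErr
	}
	asDER.AddCert(parsed)
	return appended, verify(asPEM), verify(asDER)
}

func main() { fmt.Println(demo()) }
```

Checking the boolean returned by AppendCertsFromPEM is what would have surfaced the problem at the point where the intermediate was dropped, rather than later as a chain verification error.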